{%- set ssl_protocols = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SSL_PROTOCOLS', 'TLSv1.2 TLSv1.3') -%}
{%- set ssl_prefer_server_ciphers = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SSL_PREFER_SERVER_CIPHERS', 'off') -%}
{%- set ssl_ciphers = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS', 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305') -%}
{%- set ssl_ecdh_curve = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SSL_ECDH_CURVE', 'X25519:secp384r1:prime256v1') -%}
{%- set hsts_header = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SECURITY_HSTS', 'max-age=15768000; includeSubDomains') -%}
{%- set csp_enabled = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SECURITY_CSP_ENABLE', 'yes') -%}
{%- set csp_header = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SECURITY_CSP', 'default-src \'self\'; script-src \'self\' \'unsafe-eval\' \'unsafe-inline\'; style-src \'self\' \'unsafe-inline\'; img-src \'self\' data:;') -%}
{%- set xframe_enabled = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SECURITY_XFRAMEOPTIONS_ENABLE', 'yes') -%}
{%- set xframe_header = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SECURITY_XFRAMEOPTIONS', 'SAMEORIGIN') -%}
{%- set permissions_policy_header = salt['pillar.get']('default:OMV_NGINX_SITE_WEBGUI_SECURITY_PERMISSIONS_POLICY', 'microphone=(), camera=(), geolocation=(), payment=()') -%}
{{ pillar['headers']['multiline'] }}
{%- if config.enablessl | to_bool %}
# PFS (Perfect Forward Secrecy)
# https://ssl-config.mozilla.org/#server=nginx&version=1.22.0&config=intermediate&openssl=3.0.11&ocsp=false&guideline=5.7
ssl_protocols {{ ssl_protocols }};
ssl_prefer_server_ciphers {{ ssl_prefer_server_ciphers }};
ssl_ciphers "{{ ssl_ciphers }}";
ssl_ecdh_curve "{{ ssl_ecdh_curve }}";
{% endif %}
{%- if config.enablessl | to_bool and config.forcesslonly | to_bool %}
# HSTS (HTTP Strict Transport Security)
# https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "{{ hsts_header }}" always;
{%- endif %}
{%- if csp_enabled | to_bool %}
# Content Security Policy (CSP)
# https://www.owasp.org/index.php/Content_Security_Policy
add_header Content-Security-Policy "{{ csp_header }}" always;
{%- endif %}
{%- if xframe_enabled | to_bool %}
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
add_header X-Frame-Options "{{ xframe_header }}" always;
{%- endif %}
# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
add_header X-Content-Type-Options "nosniff" always;
# https://wiki.mozilla.org/Security/Features/XSS_Filter
# http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
add_header X-XSS-Protection "1; mode=block" always;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
add_header Permissions-Policy "{{ permissions_policy_header }}" always;
